11-22-2012 07:34 AM - edited 03-11-2019 05:26 PM
Hi all. I'm wondering how to read some of these log entries I see on the IOS 15.2 router I'm working with. I'm fairly new to this stuff. My understanding is that the first socket (123.123.123.123:port#) is the originating one, and the 2nd socket is the receiving or destination. This makes sense when I see an entry like:
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
The internal IP is our email server inside the LAN, the first IP is some IP in a foreign country, so somebody visited our web interface for the email server, obviously trying to breach or recon the interface but whatever.
Then I see an (unrelated) entry like this elsewhere in the logs:
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from. However we do not accept incoming port 25 mail from anywhere but a designated IP so this "send" is not supposed to occur.
So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver?
Oddly, there are no other entries in the logs between these two hosts, so either the logs have truncated with oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond? BTW, the outside host WHOIS's to Microsoft's IP range, Block 1.
So, main question is how to read these log lines but also any other comments are welcome.
Thank you.
11-22-2012 09:04 AM
Hello Colin,
1043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
so somebody visited our web interface for the email server??
That is correct
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port??
It is true but this happens because one of your inside hosts started the communication to this SMTP server, so the outside SMTP is just replying back to you.
So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver?
Yes,
I think that answers all of your questions.